Re: Cracking FiOs Router Login:Pass

Have you tried looking at the source code for the page?

I have looked at the HTML and the JavaScript code. You will notice that the Verizon firmware uses an HTTP web form, and there are multiple INPUT fields. The firmware will check these multiple INPUT fields. In addition, the Verizon firmware generates different sessions and different session numbers and uses those as the INPUT field names / values, so you probably won't know the exact field beforehand.

For example, there are 3 password INPUT fields: passwordmask_1416335159, passwd1, and md5_pass. The first passwordmask INPUT field has a different number each time in its name. In this case, you can't just supply the password field name as a parameter in hydra because it might change later on. The passwd1 INPUT field is shown (not hidden), and this textbox is what you see changing the length of the password as you enter it. The md5_pass INPUT field stores the MD5 calculation.

In the MD5 calculation, look at the SendPassword() function of the JavaScript code.

What is auth_key? It is a new field! For example, the auth_key value is 332937039.

First, the values of the passwordmask_1416335159 and the auth_key fields are combined. Then, the combination is set to the md5_pass value.
Next, the function calls another function to calculate the MD5 value of the previous combination, then stores it to a temporary variable, and stores the MD5 calculation to md5_pass value.
The passwordmask_1416335159 value is set to "".
Finally, the function submits the form.

From there, the Verizon firmware checks the MD5 calculations of the combined values. If they do not match, then the password fails.

As you can see, you have to take into account these session values and different INPUT fields and their names, as well as MD5 calculations. I don't think hydra or medusa have been designed for this scenario.
If this is true, then someone would have to re-write the code for this type of authentication.

Also, if you try to log in too fast or create new sessions, you will get an error message:
"No more than 5 sessions at a time are allowed. Please wait until open sessions expire."
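
A server-side view of the check described in the post above, as an added example that is not from the thread or from the router firmware: a per-session auth_key is issued, the submitted md5_pass is compared against MD5(password + auth_key), each auth_key is accepted once, and open sessions are capped at 5. The class and method names, the concatenation order and the 300-second expiry are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_SESSIONS = 5    # cap quoted in the router's error message
SESSION_TTL = 300   # seconds; assumed, the post gives no expiry time


class LoginServer:
    """Hypothetical model of the firmware-side check, not Verizon's code."""

    def __init__(self, password):
        self._password = password
        self._sessions = {}  # auth_key -> [expiry, already_used]

    def new_session(self, now):
        """Return a fresh auth_key, or None while the session cap is hit."""
        self._sessions = {k: v for k, v in self._sessions.items() if v[0] > now}
        if len(self._sessions) >= MAX_SESSIONS:
            return None
        auth_key = str(secrets.randbelow(10**9))
        while auth_key in self._sessions:
            auth_key = str(secrets.randbelow(10**9))
        self._sessions[auth_key] = [now + SESSION_TTL, False]
        return auth_key

    def verify(self, auth_key, md5_pass, now):
        """Check one submitted md5_pass; each auth_key is accepted once."""
        entry = self._sessions.get(auth_key)
        if entry is None or entry[0] <= now or entry[1]:
            return False
        entry[1] = True  # slot stays occupied until expiry, so guesses are throttled
        # Assumed order: password first, then auth_key.
        expected = hashlib.md5((self._password + auth_key).encode()).hexdigest()
        return hmac.compare_digest(expected.encode(), md5_pass.lower().encode())
```

Because a used auth_key keeps its slot until it expires, this model allows at most 5 password checks per expiry window, which is the throttling effect the error message describes.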

Re: Cracking FiOs Router Login:Pass

Originally Posted by Eatme

Good, I guess Fi0s is secured from BT, hurray!!

Actually, instead of modifying the source code of hydra or medusa, someone could write a small script that retrieves the login page and posts an HTTP web form with the correct fields. In that script, it could load a passwords list and try logging in, like a bruteforce or dictionary attack.

Also, if you have not noticed, sometime in Fall 2010, Verizon remotely logged into its customers' routers and changed everyone's default password to the serial number.

If someone were to attack a Verizon ActionTec router and the router credentials were once default, then the attacker would also have to keep in mind the 14-character serial number of the router.